Whether you are a Fortune 500 company, a local bakery, or self-employed and working from a home office, you share a common business goal: to maintain your operation and productivity. You also share a new challenge that ALL companies face: cybersecurity.
Traditionally, large companies and corporations have been popular targets and face threats that range from corporate espionage/sabotage to even other nation states.
However, small businesses are not immune and, for some hackers, are actually the more desired target. The unfortunate truth is that many small businesses are “easy marks.” Large companies and corporations are spending a lot of money to protect themselves. Small businesses typically do not have sufficient, or any, security budgets and spend little to nothing to defend themselves from security threats. Hackers know this and many have turned their attention to these easier targets. Relying on the “fly below the radar” strategy to provide a security blanket for a small business is no longer valid.
For hackers testing their abilities, it is much safer and lower risk for them to practice on a small business that most likely has minimal defenses and technical ability. This may be a one-time thing from this attacker. Your website is unavailable for a while, you fix it, then forget about it, right? What are the chances this happens again? The problem is that there is a good chance your website will get labeled as an “easy mark” in the hacker community. A week or two later, you get attacked again, then again, then again.
Consider how this potential disruption affects your business. If your site is down, how can potential customers find your business, contact you, or learn about your products and services? Even worse is when you sell from your website. How much in sales do you lose for every hour or day your site is unavailable? This is the simplest case.
There are worse motivations for hackers to target small businesses. Site defacement or alteration can range from someone just trying to be funny, to obscene or agenda-driven modifications. One of the more extreme scenarios I have seen was a small business that continued to be hacked and their site defaced with potentially terrorist-related rhetoric. What would your customers think if they go to your webpage and are presented with obscene or agenda-driven content? You could offend and even lose current or potential customers.
Another thing hackers can do with small business websites is use them as decoys or hop-off points for other attacks. In this scenario, once an attacker compromises your website, they don’t do anything visible to your website, but instead use it as a jump point to mask their attacks on other targets. Depending on the attack and the damage they do from your site, you could be forced to aid in a criminal investigation or could even be held liable for some or all of the damage. This may seem crazy, but if it can be proven that you blatantly did not put any effort into preventing the attack from happening, you may be held liable.
These days, many small businesses use their websites to store data like client or lead lists or maybe even personal information about customers, employees, and/or vendors. How big of an impact would it be on your small business if this information were stolen? The answers will vary from business to business, but if your site stores credit card data, you’re in big trouble. Of course, if your site does store credit card data you already know about this and are implementing your legal obligations for protection and assurance.
The FCC also stresses the importance of cybersecurity awareness for small businesses. They provide tips and guidance for small businesses to follow to help protect themselves against ever-growing cybersecurity threats. They even provide the Small Biz Cyber Planner 2.0 tool to help businesses develop their company cyber and information assurance plans and policies. This is a great tool that lets you select individual topics based on your company’s specific internet and security needs. Now, the tool does not fix all your security issues or even tell you exactly how to fix them. What it does do is give you high-level guidance and a plan specific to your company that you can then research yourself, or that security experts (like us) can guide you in implementing.
There is no such thing as perfect security. Given the time, resources and motivation, there is not a tech system in the world that can’t be hacked or exploited in some way. The key to implementing defensive security protection is to reduce your threat risk by minimizing your attack potential. I am not trying to scare anyone. I just want you to be aware of the risks, threats, and resources out there to help.